On Mon, Sep 9, 2013 at 3:19 PM, Werner Koch <w...@gnupg.org> wrote: > Due to public demand I enabled https for www.gnupg.org on v4 and v6. IT > is a 2048 bit CaCert certificate, so you need to install the cacert root > certificate.
Excellent. > Note also that recent Mozilla browsers tell you in the certificate > details that they can't verify the certificate because it uses an > insecure algorithm - which seems to be SHA-1. Now if SHA-1 would be the > weakest link in the whole web security domain we could easily solve all > problems. It is just funny how they try to fix a broken infrastructure. According to https://www.ssllabs.com/ssltest/analyze.html?d=www.gnupg.org&hideResults=on that's because the CAcert Class 3 intermediate cert was signed using MD5, which is indeed insecure for such purposes. See http://www.win.tue.nl/hashclash/rogue-ca/ They have a newer Class 3 intermediate cert at http://www.cacert.org/index.php?id=3 that is signed by the CAcert root using SHA256. Simply swapping out the intermediates should solve the issue. Personally, I prefer the free certs issued by StartSSL as their root is installed by default in most systems/browsers. The CAcert root isn't (yet -- there's a bunch of work needed to be done to get the CAcert root to pass an audit and be included). Your mileage, of course, may vary. -- Pete Stephenson _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users